Recent years have seen explosive growth of Internet-connected devices. Once limited to just personal computers and servers, now Internet connectivity is supported by printers, media devices (e.g., stereos, televisions, DVD players), mobile computing devices (e.g., cell phones, tablets), health-monitoring equipment (e.g., fitness trackers), household automation and monitoring devices (e.g., “smart” thermostats and locks), network-enabled kiosks (e.g., parking meters, vending machines), industrial control and monitoring devices (e.g., various types of sensors), connected cards, and so on. Many of these devices primarily conduct machine-to-machine transactions with server devices on the Internet. As such, they may need to be provisioned with a user's credentials, for instance a userid and password, before being fully authenticated and functional. Not only does this add complexity and user confusion to the device setup process, it also results in the user possibly sharing his or her credentials with multiple entities. As a result, the likelihood that the user's credentials are compromised increases accordingly. Given that billions of low-cost Internet-connected devices are expected to be deployed in the future, it is desirable to be able to provide inexpensive, automatic, secure provisioning and authentication technologies for these devices.